author | Sunil Ravi <sunilravi@google.com> | 2019-11-21 14:40:24 -0800 |
---|---|---|
committer | Sunil Ravi <sunilravi@google.com> | 2019-11-22 11:30:27 -0800 |
commit | 79bc3a0103c4c5d4ee065b6260d86881ebd97f5e (patch) | |
tree | 6cd4901762be13a16cc57cc421b2f17c89e47b17 | |
parent | 4e2bb36488a96a60e4e9acf2ae7c092eb15ae5d6 (diff) | |
qcacmn: Fix zero size malloc when memory debug is disabled
android-10.0.0_r0.42 android-10.0.0_r0.35 android-msm-coral-4.14-android10-qpr1
In SLUB disabled builds, the qdf_mem_malloc calls the
qdf_mem_malloc_fl function which doesn't
validate if the size provided is 0 and returns the value
ZERO_SIZE_PTR(((void *)16)) for the pointer. When this pointer
is dereferenced, it causes invalid address dereference.
Validate if the size parameter provided to qdf_mem_malloc is
0 or greater than QDF_MEM_MAX_MALLOC. Return failure if the
validation fails.
Bug: 144843138
Change-Id: I8fc6bc796847e9dd3dfd5186b0386d323560d0cf
CRs-Fixed: 2571505
Signed-off-by: Sunil Ravi <sunilravi@google.com>
-rw-r--r-- | qdf/linux/src/qdf_mem.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/qdf/linux/src/qdf_mem.c b/qdf/linux/src/qdf_mem.c
index 39d55dbb0..b85bddfc4 100644
--- a/qdf/linux/src/qdf_mem.c
+++ b/qdf/linux/src/qdf_mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -48,15 +48,15 @@
 #include <net/cnss_prealloc.h>
 #endif
-#ifdef MEMORY_DEBUG
-#include "qdf_debug_domain.h"
-#include <qdf_list.h>
-
 /* Preprocessor Definitions and Constants */
 #define QDF_MEM_MAX_MALLOC (4096 * 1024) /* 4 Mega Bytes */
 #define QDF_MEM_WARN_THRESHOLD 300 /* ms */
 #define QDF_DEBUG_STRING_SIZE 512
+#ifdef MEMORY_DEBUG
+#include "qdf_debug_domain.h"
+#include <qdf_list.h>
+
 static qdf_list_t qdf_mem_domains[QDF_DEBUG_DOMAIN_COUNT];
 static qdf_spinlock_t qdf_mem_list_lock;
@@ -1178,6 +1178,11 @@ void *qdf_mem_malloc(size_t size)
 {
 void *ptr;
+ if (!size || size > QDF_MEM_MAX_MALLOC) {
+ qdf_err("Cannot malloc %zu bytes", size);
+ return NULL;
+ }
+
 ptr = qdf_mem_prealloc_get(size);
 if (ptr)
 return ptr; |
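Review bot: The new rejection path in qdf_mem_malloc logs only `Cannot malloc %zu bytes`, with no indication of which caller passed the zero or oversized length, and the message is not rate limited. A bad size is often computed from a frame or firmware message length (an inference, the callers are not visible here), so the call site is what triage needs, and a path that is hit repeatedly can flood the kernel log. Consider `qdf_err("Cannot malloc %zu bytes, caller %pS", size, __builtin_return_address(0));`, assuming qdf_err ends up in the kernel's printf formatter, and a rate-limited log variant if QDF provides one. A comment above the check such as `/* kmalloc(0) returns ZERO_SIZE_PTR, which is non-NULL and passes callers' NULL checks */` would also record why zero is refused. The body of qdf_mem_malloc continues past the end of the hunk.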